puzzling iptables/dns problem

irony · Posted: Mon Feb 03, 2003 6:37 pm Post subject: puzzling iptables/dns problem

To preface, I have two boxes running gentoo on seperate subnets of a large university network. Both boxes have identical nic cards (eepro100), but no other hardware in common. Both are configured with a static ip. Both have an identical kernel configuration for networking options. Both use the same nameservers.
I use essentially the same firewall script on both boxes, modifying only the ip, broadcast and gateway variables, which are used in some specific rules (listed below). On one box, everything works fine, things are filtered as they should be, connections are made, dns is found, and all is well. On the other box, when the firewall is running, no dns information gets through. Traffic on lo is fine, if I specify a numeric ip address, connections are established. When the firewall isn't running, dns works fine.
The other puzzling thing is that no packets show up under "iptables -L -n -v". Since dns doesn't seem to be getting out, I thought the problem might be the rules related to dns, but the packets should be showing up under the rule that's dropping them, but nada.
Just in case, here are the relevant rules (which work fine on the other server):
($IPTABLES is the path to iptables, $INTERNET=eth0, $NAMESERVER_1 and $NAMESERVER_2 are the ip's for the two nameservers)

rtn · Guru Joined: 15 Nov 2002 Posts: 427

Have you tried setting up an iptables LOG statement to try and isolate the issue?

--rtn, also from CT.

irony · Posted: Mon Feb 03, 2003 9:24 pm Post subject:

No, I haven't tried logging it, but I suspect it wouldn't show anything, since no packets are showing up on any rules.
_________________
"and if rain brings winds of change, let it rain on us forever..."

rtn · Guru Joined: 15 Nov 2002 Posts: 427

Matje · Posted: Mon Feb 03, 2003 11:50 pm Post subject:

If you are 100% sure that both scripts are exactly the same, there are only 2 possibilities I see:
1. Your $ - variables are wrong
2. The kernel on the second box is wrongly compiled. Cross check both kernels if they have the same config for netfiltering
_________________
Life is like a box of chocolates... Before you know it, it's empty...

irony · Posted: Tue Feb 04, 2003 1:40 am Post subject:

I'm beginning to suspect the problem might be with the broadcast/gateway information they've given me. I'll check on this tomorrow.

I double checked the kernel again, even re-compiled just in case, and no change. I also copied the script from the working box to the other, changed each variable again, and still no love.

I can send tcp packets to the dns servers, but only if I specify a numeric ip. Do I need to specify the dns servers in some configuration file, like /etc/init.d/net?
_________________
"and if rain brings winds of change, let it rain on us forever..."

Matje · Posted: Tue Feb 04, 2003 2:11 pm Post subject:

Off course you need your dns-servers in /etc/resolv.conf
_________________
Life is like a box of chocolates... Before you know it, it's empty...

irony · Posted: Tue Feb 04, 2003 2:42 pm Post subject:

Had the wrong nameservers in resolv.conf - so when the firewall wasn't running, dhcp wasn't blocked, and it could still resolve addresses.

Thanks for all the help.
_________________
"and if rain brings winds of change, let it rain on us forever..."